The European Supervisory Authorities (EBA, EIOPA and ESMA – ESAs) have been urged to issue no-action letters to national competent authorities (NCAs) on enforcement of the Digital Operational Resilience Act (DORA) due to legal uncertainties.
PensionsEurope and the European Association of Paritarian Institutions (AEIP) have sent a letter to the ESAs to “respectfully ask” them to make contact with NCAs “as soon as practicable, ahead of the 17 January 2025 date for DORA’s entry into application”.
“In doing so, the competent authorities should not prioritise any supervisory or enforcement action on DORA. It would also be consistent with Ursula von der Leyen's political guidelines of July 2024 that call for simplifying implementation and reducing administrative burden as a task for each commissioner,” the associations argued.
Their request is due to the legal uncertainty arising from the absence of final Level 2 texts, such as the implementing technical standard (ITS) on the register of information and the regulatory technical standard (RTS) on subcontracting. They believe this makes it “challenging to prepare for DORA compliance”.
“As the application date of DORA set for 17 January 2025 is looming, the lack of final delegated and implementing acts supplementing the level 1 DORA text raises legitimate concerns about the correct application of this new framework. Thus, it provides a sound legal basis for the ESAs to issue no-action letters,” they wrote.
The two associations noted that the main issues arising from the implementation of DORA are the renegotiation of contracts throughout ICT outsourcing value chains, the delivery of the register of information, and the reporting on major ICT-related incidents.
However, contract renegotiations cannot be finalised while there is legal uncertainty, they wrote. On the register of information, the letter stated that financial entities were only informed in H2 2024 of the European Commission’s decision to reject it, after the ESAs published their opinion.
“In the absence of the final text entering into force, PensionsEurope and AEIP consider the application date of 17 January 2025 as insufficient for the entities to grant optimal implementation of DORA. It is crucial to have information from subcontracting chains to report major ICT-related incidents. However, this cannot be fully ensured as contract renegotiations are ongoing and as long as there remains uncertainty regarding the RTS on subcontracting,” they wrote.